Was classic NAT order of operations updated?

MonakhovPS (Level 1)

Hello.

I always thought that there were at least two different kinds of NAT with different orders of operations:

  1. Classic NAT (ip nat inside, ip nat outside, ip nat inside source ...). If a packet is going from inside to outside, there is routing first, then NAT second.
  2. NVI NAT (ip nat enable, ip nat source ...). There is routing first, NAT second, then one more routing third.
I tried to check the limitation of classic NAT on a CISCO2901 with IOS 15.5.

Topology is in attachment.

R3 is the classic NAT-enabled router. The NAT configuration is below:

int s0/0/0
  ip nat inside
int s0/0/1
  ip nat inside
int g0/1
  ip nat outside

ip nat pool POOL_NAT1 209.165.201.1 209.165.201.1 netmask 255.255.255.248
ip nat inside source list ACL_NAT1 pool POOL_NAT1 overload
ip nat inside source static 10.1.2.11 209.165.201.2

ip access-list standard ACL_NAT1
  permit 10.1.13.0 0.0.0.7
  permit 10.1.1.0 0.0.0.255

I'm pinging S2's NATed external address 209.165.201.2 from S1 (10.1.1.11), and the ping is successful. As far as I know, it should fail because of the classic NAT limitations.

Was the classic NAT order of operations updated in IOS 15? Also, after issuing the ip nat inside or ip nat outside command, the router automatically creates the interface NVI0.
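The two pipelines the post describes, as an added toy model in Python (editor's illustration, not Cisco code and not part of the original thread). It encodes only the order of operations stated above: classic NAT routes inside-to-outside traffic and then translates the source, and in the reverse direction translates the destination and then routes; NVI NAT routes, translates, and routes again. R3's NAT roles, pool, static entry and ACL are taken from the configuration in the post. The routing table, the placement of hosts behind each interface, and the outside host 203.0.113.9 are assumptions, since the topology was only an attachment. Replaying the S1 -> 209.165.201.2 ping through both pipelines shows why that hairpin is expected to fail under the classic order (the packet leaves g0/1 with an untranslated destination) and to succeed under the NVI order (the destination is untranslated to 10.1.2.11 and routed a second time), which is the expectation the poster's CISCO2901 did not match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# R3's NAT roles and mappings, taken from the configuration in the post.
NAT_ROLE = {"Serial0/0/0": "inside", "Serial0/0/1": "inside",
            "GigabitEthernet0/1": "outside"}
ACL_NAT1 = [ipaddress.ip_network(p) for p in ("10.1.13.0/29", "10.1.1.0/24")]
POOL_NAT1 = "209.165.201.1"                      # single-address overload pool
STATIC = {"10.1.2.11": "209.165.201.2"}          # inside local -> inside global
STATIC_REV = {g: l for l, g in STATIC.items()}   # inside global -> inside local

# ASSUMED: the post does not show R3's routing table or host placement
# (the topology was an attachment), so these are constructed to match its text.
ROUTES = [(ipaddress.ip_network(p), iface) for p, iface in (
    ("10.1.1.0/24", "Serial0/0/0"),               # S1's subnet
    ("10.1.2.0/24", "Serial0/0/1"),               # S2's subnet
    ("10.1.13.0/29", "Serial0/0/0"),              # second ACL_NAT1 subnet (placement assumed)
    ("209.165.201.0/29", "GigabitEthernet0/1"),   # outside segment, from the pool netmask
    ("0.0.0.0/0", "GigabitEthernet0/1"),          # default route (assumed)
)]
HOSTS = {"10.1.1.11": "Serial0/0/0",              # S1
         "10.1.2.11": "Serial0/0/1",              # S2's real address
         "203.0.113.9": "GigabitEthernet0/1"}     # an outside host (assumed)


def route(dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def inside_to_global(src):
    """Source translation for inside -> outside: the static entry wins, then the overload pool."""
    if src in STATIC:
        return STATIC[src]
    if any(ipaddress.ip_address(src) in net for net in ACL_NAT1):
        return POOL_NAT1
    return src


def global_to_inside(dst):
    """Destination translation for outside -> inside: only known inside-global addresses."""
    return STATIC_REV.get(dst, dst)


def delivered(pkt, egress):
    """A packet reaches its target only if the final destination lives behind the egress."""
    return egress is not None and HOSTS.get(pkt.dst) == egress


def classic_nat(pkt, ingress):
    """Classic order as the post states it: inside->outside routes then translates the
    source; outside->inside translates the destination then routes. Returns
    (translated packet, egress interface, delivered?, trace)."""
    trace = []
    if NAT_ROLE[ingress] == "inside":
        egress = route(pkt.dst)
        trace.append(f"route {pkt.dst} -> {egress}")
        if egress is not None and NAT_ROLE[egress] == "outside":
            pkt = Packet(inside_to_global(pkt.src), pkt.dst)   # source only
            trace.append(f"nat src -> {pkt.src}")
    else:
        pkt = Packet(pkt.src, global_to_inside(pkt.dst))       # destination only
        trace.append(f"nat dst -> {pkt.dst}")
        egress = route(pkt.dst)
        trace.append(f"route {pkt.dst} -> {egress}")
    return pkt, egress, delivered(pkt, egress), trace


def nvi_nat(pkt, ingress):
    """NVI order as the post states it: route, translate, route again. Every interface
    is NAT-enabled, so both addresses are checked against the mappings."""
    trace = []
    egress = route(pkt.dst)
    trace.append(f"route {pkt.dst} -> {egress}")
    pkt = Packet(inside_to_global(pkt.src), global_to_inside(pkt.dst))
    trace.append(f"nat src/dst -> {pkt.src}/{pkt.dst}")
    egress = route(pkt.dst)
    trace.append(f"route again {pkt.dst} -> {egress}")
    return pkt, egress, delivered(pkt, egress), trace


if __name__ == "__main__":
    # The post's test: S1 pings S2's inside-global address through R3.
    hairpin = Packet("10.1.1.11", "209.165.201.2")
    for name, pipeline in (("classic", classic_nat), ("nvi", nvi_nat)):
        pkt, egress, ok, trace = pipeline(hairpin, "Serial0/0/0")
        print(f"{name:8}{' | '.join(trace)} => "
              f"{'delivered' if ok else 'not delivered'} via {egress}")
```

The model has no port allocation, no translation table and no reply handling; it exists only to make the ordering argument mechanical. Running it prints one trace line per pipeline for the hairpin case; swapping in an ordinary inside-to-outside or outside-to-inside packet shows that the two orders agree on everything except flows whose destination is an inside-global address.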
1 Reply

MonakhovPS (Level 1)

I disabled CEF and enabled debugging on R3. The debug output is below. Maybe I'll have time tomorrow to run tests with some older IOS.
R3#show debug
Generic IP:
IP packet debugging is on for access list 2
IP NAT debugging is on
IP NAT detailed debugging is on
*Apr 16 18:13:36.517: IP: s=10.1.1.11 (Serial0/0/0), d=209.165.201.2, len 100, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=10.1.1.11 (Serial0/0/0), d=209.165.201.2, len 100, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=10.1.1.11 (Serial0/0/0), d=209.165.201.2, len 100, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=10.1.1.11 (Serial0/0/0), d=209.165.201.2, len 100, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=10.1.1.11 (Serial0/0/0), d=209.165.201.2, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: tableid=0, s=10.1.1.11 (Serial0/0/0), d=209.165.201.2 (GigabitEthernet0/1), routed via RIB
*Apr 16 18:13:36.517: mapping pointer available mapping:0
*Apr 16 18:13:36.517: NAT: [0] Allocated Port for 10.1.1.11 -> 209.165.201.1: wanted 21 got 21
*Apr 16 18:13:36.517: NAT: i: icmp (10.1.1.11, 21) -> (209.165.201.2, 21) [101]
*Apr 16 18:13:36.517: NAT: s=10.1.1.11->209.165.201.1, d=209.165.201.2 [101]
*Apr 16 18:13:36.517: IP: s=209.165.201.1 (Serial0/0/0), d=209.165.201.2 (GigabitEthernet0/1), len 100, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=209.165.201.1 (Serial0/0/0), d=209.165.201.2 (GigabitEthernet0/1), len 100, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=209.165.201.1 (Serial0/0/0), d=209.165.201.2 (GigabitEthernet0/1), len 100, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 18:13:36.517: IP: s=209.165.201.1 (Serial0/0/0), d=209.165.201.2, len 100, rcvd 6
*Apr 16 18:13:36.517: IP: s=209.165.201.1 (Serial0/0/0), d=209.165.201.2, len 100, stop process pak for forus packet
*Apr 16 18:13:36.517: NAT: o: icmp (209.165.201.2, 21) -> (209.165.201.1, 21) [101]
*Apr 16 18:13:36.517: NAT: s=209.165.201.2, d=209.165.201.1->10.1.1.11 [101]
